The VA's New EHR System: Weighing Risks, BenefitsMove to Same Vendor Used by DoD Should Ease Interoperability. But What About Security?
The Department of Veteran Affairs' implementation of an electronic health records system from the same vendor used by the Department of Defense likely will improve the security of vets' health data, but the move presents many new challenges, some health data security experts say.
For instance, while the move could streamline the secure sharing of records between the VA and DoD, the process of moving legacy VA data to a new platform poses potential breach risks.
As it carries out the guiding principal of improving the health of vets, "a big part of this is obviously safeguarding the privacy of our veterans. Data security will need to be one of the highest - if not the highest - priority in the program," notes Curt Kwak, CIO of Proliance Surgeons, a large surgery practice in Washington state, and former CIO of that state's health insurance exchange under the Affordable Care Act.
VA Secretary David Shulkin, M.D. announced Monday that the VA will adopt a records system based on Cerner Corp.'s Millennium EHR system, phasing out its old, home-grown VistA system.
But because the VA has "unique needs, many of which are different from the DoD," it won't be adopting the identical EHR in use at DoD, Shulkin says. Neverthless, by using a core platform from the same vendor as the DoD, the VA will improve interoperability between the EHRs used for both active military and veterans - as well as their beneficiaries - and eliminate the need "for manual or electronic exchange of information," he says.
Some security and privacy experts agree with Shulkin's assessment.
"Using a single EHR vendor for both the VA and DoD's medical facilities will make it easier for care providers at both federal agencies to view, access and make entries into a single longitudinal medical record for each individual patient," says David Kibbe, M.D., president and CEO of DirectTrust, which developed Direct, a secure healthcare email protocol. "This will eliminate the need, under most circumstances, for transport of records between medical facilities at the two agencies." Manual health record exchange as well as clumsy electronic attempts to share data can result in breaches.
But the project will certainly be complex, Kwak notes.
"It will take a lot of hard work and commitment from the best minds at both the VA and DoD, but the most important aspect will be the leadership commitment to see this through until the end," Kwak says.
"I can't say I agree or disagree with Dr. Shulkin's assessment [that the project will eliminate the need for manual or electronic data exchange], but I would ask the question: How would Cerner address all clinical, financial/administrative, infrastructure and patient web portal functions that VistA represents? I have to assume there will be a set of manual/electronic exchange or interface needed somewhere to ensure all functions are addressed."
"We have looked at the need for VA to adopt significant cybersecurity enhancements, and we intend to leverage the architecture, tools and processes that have already been put in place to protect DoD data, to include both physical and virtual separation from commercial clients," he says.
Because one-third of veterans get healthcare from non-VA providers, including academic medical centers and community partners, the VA will also encourage other EHR vendors to address interoperability between the VA's new Cerner-based platform and other systems, Shulkin says.
The VA and DoD have worked together for many years to advance interoperability between their many separate applications "at the cost of several hundred millions of dollars" in an attempt to create a consistent and accurate view of individual medical record information, Shulkin says. "The bottom line is we still don't have the ability to trade information seamlessly for our veteran patients and seamlessly execute a share plan ... with smooth handoffs," he says.
"Therefore we are embarking on creating something that has not been done before - that is an integrated product that, while utilizing the DoD platform, will require a meaningful integration with other vendors to create a system that serves veterans in the best possible way."
Shulkin says the goal is to have the VA's new EHR system in place faster than the approximately 26 months it took the DoD to implement its system.
While the migration from VistA will present risk - such as potential data loss and corruption that can occur in any large data migration project - the long-term outcome should be improved security of VA data and vastly improved interoperability between VA and DoD health records, some security experts say.
"Hopefully, the day of a veteran having to get a copy of his full record from DoD in paper and then take it to the VA are over," says Mac McMillan, president of security consulting firm CynergisTek and a former DoD information security leader. "With both [VA and DoD] being on the same EHR, and depending on how they manage the databases on the back end, it should be as simple as either a file transfer or a change in a field that designates a person either as active or veteran."
The trickier issues will continue to be interoperability and data exchange between VA and non-VA healthcare providers, he says.
Kibbe says that as the VA tries to encourage other third-party vendors to enhance interoperability with VA's new Cerner EHR platform, certain privacy and security hurdles will need to be overcome.
"The vulnerabilities are well known and the biggest one is always going to be identity," he says. "That is, how can the EHR platform ensure that the person operating the network and software is who he says he is? Authentication, ID proofing, encryption, strong training programs to avoid social engineering hacks ... these are the mainstays that have to be in place."
Among other benefits of having both VA and DoD facilities using a Cerner EHR is that Cerner strongly supports Direct exchange, the primary federal standard for exchanging health information electronically and securely across health IT vendor systems in the private sector, Kibbe notes. This will make it "very easy for both DoD and VA medical professionals to replace fax and mail with electronic messages and attachments," he adds.
As the VA begins its endeavor to modernize its EHR system after decades of using VistA, it must ensure that safeguards are in place to prevent breaches during the changeover process, Kibbe says.
The VA must "make certain that any contractors used in the migration process are completely up to speed on the privacy, security and identity controls required of the federal agencies themselves," he says.
User adoption and clinical workflow impact are two critical components that need to be addressed when a new EHR system is introduced, Kwak adds. "Also, with VistA being a massive, integrated platform developed in-house by the VA, there will be a number of legacy functions, data sets and dictionaries and most likely years and years of customizations and templates that will all need to be deciphered and transitioned as part of this change management onto Cerner."
Cris Ewell, CISO of University of Washington Medicine, says migrating to a new system can create challenges. "I have seen past issues where not all of the data is migrated - because of multiple reasons - and the [old] system must be kept live for a number of years. The old system does not typically get security updates and often can be targeted for breach."
Ewell also says that the plan for the VA and DoD to be on similar platforms doesn't necessarily guarantee smooth data interoperability between systems. "The main difficulty with mutual systems is with the specific configuration that each organization has in place. It is not always an easy task to share information between systems; it depends on all of the sub medical systems that may not be the same."
Changing systems is a huge project that must have the full support of executives, physicians, support staff and others, Ewell points out. "This includes the security staff, which must have a full review of the architecture, access and storage and what will happen to the legacy data. For instance, will it all be imported and then the old system decommissioned? Or must it stay in a read-only mode for many years? In the end, the ability to share data between systems and organizations is a very difficult task, with federation and trust being close to the top of the list."